Oracle Serious About Java Security–Maybe

Christine Hall

We’re not ready to tell you we think it’s safe to reactivate your Java browser plugin–in fact, just the opposite–but we will say that Oracle is at least giving the appearance they’re now serious about addressing browser-side Java’s safety. Early last week they issued a security patch that fixed either 41 or 42 Java security issues, depending on what website you’re reading.

Excuse us if we don’t seem too impressed. At this juncture all we’re willing to do is say with utmost snark, “It’s about time.”

For more than a year now having Java available to the network has been a dangerous proposition–so dangerous that Homeland Security issued a warning in January urging all U.S. citizens to shut down Java in the browser. Since then, Oracle has issued several security fixes, which still left users vulnerable even though a patch in early February fixed a whopping 50 security holes. Another patch, issued in March, “switched Java security settings to ‘high’ by default,” according to Oracle. This setting requires users to authorize unsigned or self-signed applets before they’ll run.

Oracle’s latest patch, the one with the 41 or 42 fixes depending on who’s talking, offers more of the same according to Sean Michael Kerner in an article posted April 16 on eSecurity Planet. Reporting on a conversation with Hasan Rizvi, Executive Vice President for Oracle Fusion Middleware and Java, he writes:

“With the new Java update, Oracle is now also going to lock down applets and require that code is signed before it can run, even for sandboxed apps.

“‘The majority of the recently disclosed vulnerabilities and vulnerabilities fixed in the Critical Patch Update for Java SE resulted in effectively allowing escape from the sandbox,’ Rizvi said. ‘To a large extent, active exploitations of these vulnerabilities were taking advantage of the legacy practice that allowed sandboxed Java applets and web start applications to run without any warning to the user.’

“Rizvi noted that the signing requirement will improve the security of Java users in a number of ways. For one, it will create some sense of accountability with Java code developers.

“‘Malicious attackers will be required to purchase a code-signing certificate,’ he said. ‘Note that before issuing a code-signing certificate, certificate authorities generally perform certain checks to ensure the identity of the person applying for the certificates.’

“Oracle will be able to identify where the certificate came from and will have the ability to blacklist the certificate and the application.”

[yop_poll id=”8″]

In an article released the same day by Reuters, writer Joseph Menn said that Rizvi indicated users would still be able to override and run unsigned code “if they click to acknowledge the risk …” It’s not exactly clear how this is different from the policy put in place with the patch Oracle issued in March, other than making what was once a “high” security measure now business-as-usual.

Here at FOSS Force we see no reason to take a chance and enable Java in the browser unless it’s an absolute necessity. According to the Reuter’s article, Java is now the most attacked software on the Internet:

“Java was the vehicle for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents. Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents, according to the survey.”

Our advise on running browser-side Java remains the same as it’s been since Homeland Security issued their advisory back in January. If you don’t need it, keep it disabled. Hardly any websites require Java anymore and having the browser plugin operational only makes you vulnerable. No operating system is safe. In recent months there have been reports of Java exploits being used against all platforms, including OS X and Linux.

Related

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux